Re: IUSR trying to run cmd.exe... who is it?

From: BB (Bernard_at_3exp.com)
Date: 12/25/02


From: "BB" <Bernard_at_3exp.com>
Date: Wed, 25 Dec 2002 11:41:05 +0800


Nothing in the IIS log? If you have URLScan, check urlscanxxxx.log.
Any idea what process ID 2704 is? Anything in the event log?

Ensure your server is up to date. Refer to
www.microsoft.com/security/
You can also refer to
http://securityadmin.info/faq.htm#harden

Rgds.

"Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
news:ulY7aW6qCHA.2372@TK2MSFTNGP12...
> Hi guys,
>
> For security reasons, I removed permissions from many files in win2k system
> and added auditing to them. I keep getting this audit event (sometimes 3
> times in a day, others 10 times in a day, all in a row):
>
> <<<<
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 23/12/2002
> Time: 09:33:03 p.m.
> User: WWW01\IUSR_VGSVR
> Computer: WWW01
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINNT\system32\CMD.EXE
> New Handle ID: -
> Operation ID: {0,139507346}
> Process ID: 2704
> Primary User Name: IUSR_VGSVR
> Primary Domain: WWW01
> Primary Logon ID: (0x0,0x12BEC)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses SYNCHRONIZE
> Execute/Traverse
>
> Privileges -
> >>>>
>
> It seems like one of my sites is trying to execute something with the shell.
> I don't believe it's a hacker or code red (I have up to SP3 installed).
>
> I searched all the logs for this month (looking for the text cmd) but
> nothing. So this narrows the search to my users' code.
>
> Any ideas on how to detect which web site is doing this??
>
> Thanks!!
>
> Agustin.
>
>
>
>
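Added example, not part of either post: one way to narrow down which site triggered the audit failure is to line up the Event 560 timestamp with each site's IIS W3C extended log, which records times in UTC while the event log shows server-local time. The UTC offset of -3, the W3SVC site names and all log lines below are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed excerpt of the Event ID 560 record quoted in the thread.
AUDIT_EVENT = """\
Event ID: 560
Date: 23/12/2002
Time: 09:33:03 p.m.
User: WWW01\\IUSR_VGSVR
Object Name: C:\\WINNT\\system32\\CMD.EXE
Process ID: 2704
"""

# Constructed W3C extended logs, one per IIS site (W3SVC<n> names are sample values).
SITE_LOGS = {
    "W3SVC1": """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-12-24 00:10:15 192.0.2.10 GET /default.asp 200
2002-12-24 00:40:02 192.0.2.11 GET /index.htm 200
""",
    "W3SVC3": """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-12-24 00:33:02 192.0.2.44 POST /admin/backup.asp 500
2002-12-24 00:33:03 192.0.2.44 GET /images/logo.gif 200
""",
}

def parse_audit_time(event_text, utc_offset_hours):
    """Return the event time in UTC; the event log shows server-local time."""
    fields = dict(line.split(": ", 1) for line in event_text.splitlines() if ": " in line)
    clock = fields["Time"].replace("a.m.", "AM").replace("p.m.", "PM")
    local = datetime.strptime(fields["Date"] + " " + clock, "%d/%m/%Y %I:%M:%S %p")
    return local - timedelta(hours=utc_offset_hours)

def requests_near(event_utc, site_logs, window_seconds=5):
    """List (site, time, uri, status) for requests within the window of the event."""
    hits = []
    for site, text in site_logs.items():
        columns = []
        for line in text.splitlines():
            if line.startswith("#Fields:"):
                columns = line.split()[1:]      # field order can change mid-file
            elif line and not line.startswith("#"):
                row = dict(zip(columns, line.split()))
                when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                if abs((when - event_utc).total_seconds()) <= window_seconds:
                    hits.append((site, row["time"], row["cs-uri-stem"], row["sc-status"]))
    return hits

event_utc = parse_audit_time(AUDIT_EVENT, utc_offset_hours=-3)  # assumed offset
for hit in requests_near(event_utc, SITE_LOGS):
    print(*hit)
```

Searching the logs for the text "cmd" finds nothing when a script launches the shell itself, because the request URL never contains that string; matching by time does not depend on it.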


